feat: Grant access to schema for role (#36) #37
Conversation
stephanpelikan
changed the title
|
Yeah, this needs to come with a test. Just look at the |
| return format("alter schema %I rename to %I", oldResourceId, resourceId) | ||
| Update: async (resourceId: string, oldResourceId: string, props: SchemaProps) => { | ||
| const sql: string[] = [] | ||
| // TODO: revoke old role-name if props.RoleName was removed or changed |
There was a problem hiding this comment.
Yeah, that needs doing (and be tested).
There was a problem hiding this comment.
You did those notes as well:
https://github.com/berenddeboer/cdk-rds-sql/blob/main/src/handler.ts#L118
https://github.com/berenddeboer/cdk-rds-sql/blob/main/src/handler.ts#L160
If the handler would be prepared to get old props as well I would have done this check. It is out of the scope of this little change to refactor the handler.
src/handler.ts
Outdated
| Delete: (resourceId: string, props: SchemaProps) => { | ||
| const sql: string[] = [] | ||
| if (props.RoleName) { | ||
| sql.push( |
There was a problem hiding this comment.
You're repeating yourself a lot, so please put the grant + revoke schema into their own function, so you can call that instead of copying the same code.
There was a problem hiding this comment.
You're doing the same in may other places:
https://github.com/berenddeboer/cdk-rds-sql/blob/main/src/handler.ts#L100
https://github.com/berenddeboer/cdk-rds-sql/blob/main/src/handler.ts#L145
and
https://github.com/berenddeboer/cdk-rds-sql/blob/main/src/handler.ts#L187
https://github.com/berenddeboer/cdk-rds-sql/blob/main/src/handler.ts#L211
and
https://github.com/berenddeboer/cdk-rds-sql/blob/main/src/handler.ts#L211
https://github.com/berenddeboer/cdk-rds-sql/blob/main/src/handler.ts#L140
However, I moved the statements into functions.
|
The tests you did are quite easy to achieve. It is hard to figure out about those grants. I still searching for those queries which can be used for tests... |
stephanpelikan
force-pushed
the
feature/schema-role-issue-36
branch
from
0bc68b8
to
9c23d06
Compare
|
I found a way to test for those grants on stackoverflow. I added the test and I hope it is sufficient. |
|
I have another idea: should we introduce a concept like schema access or so? That can do what your role property does. Would make it easier to grant access to the schema to more roles, as this just handles only the one role case. What do you think? Will have a look at your changes later. |
|
Well yes. But this also applies to databases. I use one RDS serverless instance for all app in my Kubernetes cluster. Within that instance I create a database per application. I only use the What I often do is: Keep it simple for the simple case and provide a more flexible way for more complex scenarios. For that simple scenario I would change the interface RoleGrantProps {
provider: Provider
role: Role | Role[]
target: Database | Schema
grants: 'all' | 'readonly' | string | string[]
}For the custom grants I don't know enough about what is typically needed. Maybe it is the best the simply allow grant-SQLs here. Hower, I build CDK stacks for a customer as a draft and would need something released. If you don't want to release the current version in preference of a separate construct, then please let me know so I can replace the new |
|
Merged, thanks for all the work @stephanpelikan. I agree, we can improve things later. |
Fixes #36
Tests are missing since I don't know how to test this, write them and unfortunately my time is limited. I've tested the code for creating and deleting a schema manually in my project successfully.